rfc8891xml2.original.xml   rfc8891.xml 
<?xml version="1.0" encoding="US-ASCII"?> <?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd">
<?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?>
<?rfc strict="yes" ?>
<?rfc toc="yes"?>
<?rfc symrefs="yes"?>
<?rfc sortrefs="yes" ?>
<?rfc compact="yes" ?>
<?rfc subcompact="no" ?>
<rfc category="info" docName="draft-dolmatov-magma-06" ipr="trust200902"
updates="5830">
<front>
<title>GOST R 34.12-2015: Block Cipher "Magma"</title>
<!----> <!DOCTYPE rfc SYSTEM "rfc2629-xhtml.ent">
<!----> <rfc xmlns:xi="http://www.w3.org/2001/XInclude" submissionType="independent"
category="info" docName="draft-dolmatov-magma-06" number="8891"
ipr="trust200902" updates="5830" obsoletes="" xml:lang="en"
tocInclude="true" symRefs="true" sortRefs="true" version="3">
<!-- xml2rfc v2v3 conversion 2.43.0 -->
<front>
<title>GOST R 34.12-2015: Block Cipher "Magma"</title>
<seriesInfo name="RFC" value="8891"/>
<author fullname="Vasily Dolmatov" initials="V." surname="Dolmatov" role="ed itor"> <author fullname="Vasily Dolmatov" initials="V." surname="Dolmatov" role="ed itor">
<organization>JSC "NPK Kryptonite"</organization> <organization>JSC "NPK Kryptonite"</organization>
<address> <address>
<postal> <postal>
<street>Spartakovskaya sq., 14, bld 2, JSC "NPK Kryptonite"</street> <street>Spartakovskaya sq., 14, bld 2, JSC "NPK Kryptonite"</street>
<city>Moscow</city> <city>Moscow</city>
<region/> <region/>
<code>105082</code> <code>105082</code>
<country>Russian Federation</country> <country>Russian Federation</country>
</postal> </postal>
<email>vdolmatov@gmail.com</email> <email>vdolmatov@gmail.com</email>
</address> </address>
</author> </author>
<author fullname="Dmitry Baryshkov" initials="D." surname="Baryshkov">
<author fullname="Dmitry Baryshkov" initials="D." <organization>Auriga, Inc.</organization>
surname="Baryshkov">
<organization>Auriga, Inc</organization>
<address> <address>
<postal> <postal>
<street>Torfyanaya Doroga, 7F, office 1410</street> <street>Torfyanaya Doroga, 7F</street>
<extaddr>office 1410</extaddr>
<city>Saint-Petersburg</city> <city>Saint-Petersburg</city>
<region/> <region/>
<code>197374</code> <code>197374</code>
<country>Russian Federation</country> <country>Russian Federation</country>
</postal> </postal>
<email>dbaryshkov@gmail.com</email> <email>dbaryshkov@gmail.com</email>
</address> </address>
</author> </author>
<date month="September" year="2020"/>
<date month="" year="2020"/>
<area>General</area> <area>General</area>
<workgroup>Internet Engineering Task Force</workgroup> <workgroup>Internet Engineering Task Force</workgroup>
<keyword>Magma</keyword> <keyword>Magma</keyword>
<keyword>Block Cipher</keyword> <keyword>Block Cipher</keyword>
<abstract> <abstract>
<t>In addition to a new cipher with block length of n=128 bits (referred <t>In addition to a new cipher with a block length of n=128 bits (referred
to as "Kyznyechik" and described in RFC 7801) Russian Federal standard to as "Kuznyechik" and described in RFC 7801), Russian Federal standard
GOST R 34.12-2015 includes an updated version of the block GOST R 34.12-2015 includes an updated version of the block
cipher with block length of n=64 bits and key length k=256 bits, which cipher with a block length of n=64 bits and key length of k=256 bits, wh ich
is also referred to as "Magma". The algorithm is an updated version of is also referred to as "Magma". The algorithm is an updated version of
an older block cipher with block length of n=64 bits described in GOST an older block cipher with a block length of n=64 bits described in GOST
28147-89 (RFC 5830). This document is intended to be a source 28147-89 (RFC 5830). This document is intended to be a source
of information about the updated version of the 64-bit cipher. It may of information about the updated version of the 64-bit cipher. It may
facilitate the use of the block cipher in Internet applications by facilitate the use of the block cipher in Internet applications by
providing information for developers and users of GOST 64-bit providing information for developers and users of the GOST 64-bit
cipher with the revised version of the cipher for encryption and cipher with the revised version of the cipher for encryption and
decryption.</t> decryption.</t>
</abstract> </abstract>
</front> </front>
<middle> <middle>
<section title="Introduction"> <section numbered="true" toc="default">
<t>The Russian Federal standard <xref target="GOSTR3412-2015"/> <name>Introduction</name>
<t>The Russian Federal standard <xref target="GOSTR3412-2015" format="defa
ult"/>
specifies basic block ciphers used as cryptographic techniques for specifies basic block ciphers used as cryptographic techniques for
information processing and information protection including the information processing and information protection, including the
provision of confidentiality, authenticity, and integrity of information provision of confidentiality, authenticity, and integrity of information
during information transmission, processing and storage in during information transmission, processing, and storage in
computer-aided systems.</t> computer-aided systems.</t>
<t>The cryptographic algorithms defined in this specification are <t>The cryptographic algorithms defined in this specification are
designed both for hardware and software implementation. They comply designed both for hardware and software implementation. They comply
with modern cryptographic requirements, and put no restrictions on the with modern cryptographic requirements and put no restrictions on the
confidentiality level of the protected information.</t> confidentiality level of the protected information.</t>
<t>This document is intended to be a source of information about the <t>This document is intended to be a source of information about the
updated version of 64-bit cipher. It may facilitate the use of the updated version of the 64-bit cipher. It may facilitate the use of the
block cipher in Internet applications by providing information for block cipher in Internet applications by providing information for
developers and users of GOST 64-bit cipher with the revised version of developers and users of a GOST 64-bit cipher with the revised version of
the cipher for encryption and decryption.</t> the cipher for encryption and decryption.</t>
</section> </section>
<section numbered="true" toc="default">
<section title="General Information"> <name>General Information</name>
<t>The Russian Federal standard <xref target="GOSTR3412-2015"/> was <t>The Russian Federal standard <xref target="GOSTR3412-2015"
format="default"/> was
developed by the Center for Information Protection and Special developed by the Center for Information Protection and Special
Communications of the Federal Security Service of the Russian Federation Communications of the Federal Security Service of the Russian Federation,
with participation of the Open Joint-Stock company "Information with participation of the open joint-stock company "Information
Technologies and Communication Systems" (InfoTeCS JSC). GOST R Technologies and Communication Systems" (InfoTeCS JSC). GOST R
34.12-2015 was approved and introduced by Decree #749 of the Federal 34.12-2015 was approved and introduced by Decree #749 of the Federal
Agency on Technical Regulating and Metrology on 19.06.2015.</t> Agency on Technical Regulating and Metrology on June 19, 2015.</t>
<t>Terms and concepts in the specification comply with the following <t>Terms and concepts in the specification comply with the following
international standards: <list style="symbols"> international standards: </t>
<t>ISO/IEC 10116 <xref target="ISO-IEC10116"/>,</t> <ul spacing="normal">
<li>ISO/IEC 10116 <xref target="ISO-IEC10116" format="default"/></li>
<t>series of standards ISO/IEC 18033 <xref <li>series of standards ISO/IEC 18033 <xref target="ISO-IEC18033-1" form
target="ISO-IEC18033-1"/>, <xref target="ISO-IEC18033-3"/>.</t> at="default"/><xref target="ISO-IEC18033-3" format="default"/></li>
</list></t> </ul>
</section> </section>
<section anchor="section_defs_notation" numbered="true" toc="default">
<section title="Definitions and Notations" anchor="section_defs_notation" > <name>Definitions and Notation</name>
<t>The following terms and their corresponding definitions are used in <t>The following terms and their corresponding definitions are used in
the specification.</t> the specification.</t>
<section numbered="true" toc="default">
<section title="Definitions"> <name>Definitions</name>
<t>Definitions <list style="empty"> <dl>
<t>encryption algorithm: process which transforms plaintext into <dt>encryption algorithm:</dt><dd>process that transforms plaintext in
ciphertext (Clause 2.19 of <xref target="ISO-IEC18033-1"/>),</t> to
ciphertext (Clause 2.19 of <xref target="ISO-IEC18033-1" format="def
<t>decryption algorithm: process which transforms ciphertext into ault"/>)</dd>
plaintext (Clause 2.14 of <xref target="ISO-IEC18033-1"/>),</t> <dt>decryption algorithm:</dt><dd>process that transforms ciphertext i
nto
<t>basic block cipher: block cipher which for a given key provides plaintext (Clause 2.14 of <xref target="ISO-IEC18033-1" format="defa
ult"/>)</dd>
<dt>basic block cipher:</dt><dd>block cipher that, for a given key, pr
ovides
a single invertible mapping of the set of fixed-length plaintext a single invertible mapping of the set of fixed-length plaintext
blocks into ciphertext blocks of the same length,</t> blocks into ciphertext blocks of the same length</dd>
<dt>block:</dt><dd>string of bits of a defined length (Clause 2.6 of <
<t>block: string of bits of a defined length (Clause 2.6 of <xref xref
target="ISO-IEC18033-1"/>),</t> target="ISO-IEC18033-1" format="default"/>)</dd>
<dt>block cipher:</dt><dd><t>symmetric encipherment system with the pr
<t>block cipher: symmetric encipherment system with the property operty
that the encryption algorithm operates on a block of plaintext, that the encryption algorithm operates on a block of plaintext --
i.e. a string of bits of a defined length, to yield a block of i.e., a string of bits of a defined length -- to yield a block of
ciphertext (Clause 2.7 of <xref target="ISO-IEC18033-1"/>), <list ciphertext (Clause 2.7 of <xref target="ISO-IEC18033-1"
style="empty"> format="default"/>)</t>
<t>Note: In GOST R 34.12-2015, it is established that the <t>Note: In GOST R 34.12-2015, it is established that the
terms "block cipher" and "block encryption algorithm" are terms "block cipher" and "block encryption algorithm" are
synonyms.</t> synonyms.</t></dd>
</list></t>
<t>encryption: reversible transformation of data by a <dt>encryption:</dt><dd>reversible transformation of data by a
cryptographic algorithm to produce ciphertext, i.e., to hide the cryptographic algorithm to produce ciphertext -- i.e., to hide the
information content of the data (Clause 2.18 of <xref information content of the data (Clause 2.18 of <xref
target="ISO-IEC18033-1"/>),</t> target="ISO-IEC18033-1" format="default"/>)</dd>
<dt>round key:</dt><dd>sequence of symbols that is calculated from the
<t>round key: sequence of symbols which is calculated from the key key
and controls a transformation for one round of a block cipher,</t> and controls a transformation for one round of a block cipher</dd>
<t>key: sequence of symbols that controls the operation of a <dt>key:</dt><dd><t>sequence of symbols that controls the operation of a
cryptographic transformation (e.g., encipherment, decipherment) cryptographic transformation (e.g., encipherment, decipherment)
(Clause 2.21 of <xref target="ISO-IEC18033-1"/>), <list (Clause 2.21 of <xref target="ISO-IEC18033-1" format="default"/>)</t
style="empty"> >
<t>Note: In GOST R 34.12-2015, the key must be a binary <t>Note: In GOST R 34.12-2015, the key must be a binary
sequence.</t> sequence.</t></dd>
</list></t>
<t>plaintext: unencrypted information (Clause 3.11 of <xref
target="ISO-IEC10116"/>),</t>
<t>key schedule: calculation of round keys from the key,</t>
<t>decryption: reversal of a corresponding encipherment (Clause
2.13 of <xref target="ISO-IEC18033-1"/>),</t>
<t>symmetric cryptographic technique: cryptographic technique that <dt>plaintext:</dt><dd>unencrypted information (Clause 3.11 of <xref
target="ISO-IEC10116" format="default"/>)</dd>
<dt>key schedule:</dt><dd>calculation of round keys from the key,</dd>
<dt>decryption:</dt><dd>reversal of a corresponding encipherment (Clau
se
2.13 of <xref target="ISO-IEC18033-1" format="default"/>)</dd>
<dt>symmetric cryptographic technique:</dt><dd>cryptographic technique
that
uses the same secret key for both the originator's and the uses the same secret key for both the originator's and the
recipient's transformation (Clause 2.32 of <xref recipient's transformation (Clause 2.32 of <xref
target="ISO-IEC18033-1"/>),</t> target="ISO-IEC18033-1" format="default"/>)</dd>
<dt>cipher:</dt><dd>alternative term for encipherment system (Clause 2
<t>cipher: alternative term for encipherment system (Clause 2.20 .20
of <xref target="ISO-IEC18033-1"/>),</t> of <xref target="ISO-IEC18033-1" format="default"/>)</dd>
<dt>ciphertext:</dt><dd>data that has been transformed to hide its
<t>ciphertext: data which has been transformed to hide its information content (Clause 3.3 of <xref target="ISO-IEC10116"
information content (Clause 3.3 of <xref format="default"/>)</dd>
target="ISO-IEC10116"/>).</t> </dl>
</list></t>
</section> </section>
<section numbered="true" toc="default">
<section title="Notations"> <name>Notation</name>
<t>The following notations are used in the specification: <list <t>The following notation is used in the specification: </t>
style="hanging"> <dl newline="false" spacing="normal">
<t hangText=" V*">the set of all binary vector-strings of a <dt>V*</dt>
finite length (hereinafter referred to as the strings) including <dd>the set of all binary vector strings of a
the empty string,</t> finite length (hereinafter referred to as the strings), including
the empty string</dd>
<t hangText=" V_s">the set of all binary strings of length s, <dt>V_s</dt>
where s is a non-negative integer; substrings and string <dd>the set of all binary strings of length s,
components are enumerated from right to left starting from where s is a nonnegative integer; substrings and string
zero,</t> components are enumerated from right to left, starting from
zero</dd>
<t hangText=" U[*]W">direct (Cartesian) product of two sets U and <dt>U[*]W</dt>
W,</t> <dd>direct (Cartesian) product of two sets U and W</dd>
<dt>|A|</dt>
<t hangText=" |A|">the number of components (the length) of a <dd>the number of components (the length) of a
string A belonging to V* (if A is an empty string, then |A| = string A belonging to V* (if A is an empty string, then |A| =
0),</t> 0)</dd>
<dt>A||B</dt>
<t hangText=" A||B">concatenation of strings A and B both <dd>concatenation of strings A and B both
belonging to V*, i.e., a string from V_(|A|+|B|), where the left belonging to V* -- i.e., a string from V_(|A|+|B|), where the left
substring from V_|A| is equal to A and the right substring from substring from V_|A| is equal to A and the right substring from
V_|B| is equal to B,</t> V_|B| is equal to B</dd>
<dt>A&lt;&lt;&lt;_11</dt>
<t hangText=" A&lt;&lt;&lt;_11">cyclic rotation of string A <dd>cyclic rotation of string A
belonging to V_32 by 11 components in the direction of components belonging to V_32 by 11 components in the direction of components
having greater indices,</t> having greater indices</dd>
<dt>Z_(2^n)</dt>
<t hangText=" Z_(2^n)">ring of residues modulo 2^n,</t> <dd>ring of residues modulo 2^n</dd>
<dt>(xor)</dt>
<t hangText=" (xor)">exclusive-or of the two binary strings of <dd>exclusive-or of two binary strings of the same length</dd>
the same length,</t> <dt>[+]</dt>
<dd>addition in the ring Z_(2^32)</dd>
<t hangText=" [+]">addition in the ring Z_(2^32)</t> <dt>Vec_s: Z_(2^s) -&gt; V_s</dt>
<dd>bijective mapping that maps an element from ring Z_(2^s) into
<t hangText="Vec_s: Z_(2^s) -&gt; V_s">bijective mapping which its binary representation; i.e., for an element z of the
maps an element from ring Z_(2^s) into its binary representation, ring Z_(2^s), represented by the
i.e., for an element z of the ring Z_(2^s), represented by the
residue z_0 + (2*z_1) + ... + (2^(s-1)*z_(s-1)), where z_i in {0, residue z_0 + (2*z_1) + ... + (2^(s-1)*z_(s-1)), where z_i in {0,
1}, i = 0, ..., n-1, the equality Vec_s(z) = 1}, i = 0, ..., n-1, the equality Vec_s(z) =
z_(s-1)||...||z_1||z_0 holds,</t> z_(s-1)||...||z_1||z_0 holds</dd>
<dt>Int_s: V_s -&gt; Z_(2^s)</dt>
<t hangText="Int_s: V_s -&gt; Z_(2^s)">the mapping inverse to the <dd>the mapping inverse to the mapping Vec_s, i.e., Int_s =
mapping Vec_s, i.e., Int_s = Vec_s^(-1),</t> Vec_s^(-1)</dd>
<dt>PS</dt>
<t hangText=" PS">composition of mappings, where the mapping <dd>composition of mappings, where the mapping
S applies first,</t> S applies first</dd>
<dt>P^s</dt>
<t hangText=" P^s">composition of mappings P^(s-1) and P, <dd>composition of mappings P^(s-1) and P, where P^1=P</dd>
where P^1=P,</t> </dl>
</list></t>
</section> </section>
</section> </section>
<section numbered="true" toc="default">
<section title="Parameter Values"> <name>Parameter Values</name>
<section title="Nonlinear Bijection"> <section numbered="true" toc="default">
<name>Nonlinear Bijection</name>
<t>The bijective nonlinear mapping is a set of substitutions:</t> <t>The bijective nonlinear mapping is a set of substitutions:</t>
<artwork name="" type="" align="left" alt=""><![CDATA[
<figure> Pi_i = Vec_4 Pi'_i Int_4: V_4 -> V_4,
<artwork><![CDATA[Pi_i = Vec_4 Pi'_i Int_4: V_4 -> V_4,]]></artwork> ]]></artwork>
</figure>
<t>where</t> <t>where</t>
<artwork name="" type="" align="left" alt=""><![CDATA[
<figure> Pi'_i: Z_(2^4) -> Z_(2^4), i = 0, 1, ..., 7.
<artwork><![CDATA[Pi'_i: Z_(2^4) -> Z_(2^4), i = 0, 1, ..., 7.]]></art ]]></artwork>
work>
</figure>
<t>The values of the substitution Pi' are specified below as <t>The values of the substitution Pi' are specified below as
arrays</t> arrays.</t>
<artwork name="" type="" align="left" alt="">
<figure align="left"> <![CDATA[Pi'_i = (Pi'_i(0), Pi'_i(1), ... , Pi'_i(15)), i = 0, 1, ..., 7:
<artwork><![CDATA[Pi'_i = (Pi'_i(0), Pi'_i(1), ... , Pi'_i(15)), i = 0
, 1, ..., 7:
Pi'_0 = (12, 4, 6, 2, 10, 5, 11, 9, 14, 8, 13, 7, 0, 3, 15, 1); Pi'_0 = (12, 4, 6, 2, 10, 5, 11, 9, 14, 8, 13, 7, 0, 3, 15, 1);
Pi'_1 = (6, 8, 2, 3, 9, 10, 5, 12, 1, 14, 4, 7, 11, 13, 0, 15); Pi'_1 = (6, 8, 2, 3, 9, 10, 5, 12, 1, 14, 4, 7, 11, 13, 0, 15);
Pi'_2 = (11, 3, 5, 8, 2, 15, 10, 13, 14, 1, 7, 4, 12, 9, 6, 0); Pi'_2 = (11, 3, 5, 8, 2, 15, 10, 13, 14, 1, 7, 4, 12, 9, 6, 0);
Pi'_3 = (12, 8, 2, 1, 13, 4, 15, 6, 7, 0, 10, 5, 3, 14, 9, 11); Pi'_3 = (12, 8, 2, 1, 13, 4, 15, 6, 7, 0, 10, 5, 3, 14, 9, 11);
Pi'_4 = (7, 15, 5, 10, 8, 1, 6, 13, 0, 9, 3, 14, 11, 4, 2, 12); Pi'_4 = (7, 15, 5, 10, 8, 1, 6, 13, 0, 9, 3, 14, 11, 4, 2, 12);
Pi'_5 = (5, 13, 15, 6, 9, 2, 12, 10, 11, 7, 8, 1, 4, 3, 14, 0); Pi'_5 = (5, 13, 15, 6, 9, 2, 12, 10, 11, 7, 8, 1, 4, 3, 14, 0);
Pi'_6 = (8, 14, 2, 5, 6, 9, 1, 12, 15, 4, 11, 0, 13, 10, 3, 7); Pi'_6 = (8, 14, 2, 5, 6, 9, 1, 12, 15, 4, 11, 0, 13, 10, 3, 7);
Pi'_7 = (1, 7, 14, 13, 0, 5, 8, 3, 4, 15, 10, 6, 9, 12, 11, 2);]]></artwork> Pi'_7 = (1, 7, 14, 13, 0, 5, 8, 3, 4, 15, 10, 6, 9, 12, 11, 2);]]></artwork>
</figure>
</section> </section>
<section numbered="true" toc="default">
<section title="Transformations"> <name>Transformations</name>
<t>The following transformations are applicable for encryption and <t>The following transformations are applicable for encryption and
decryption algorithms: <list style="hanging"> decryption algorithms: </t>
<t hangText="t: V_32 -&gt; V_32">t(a) = t(a_7||...||a_0) = <dl newline="true" spacing="normal">
<dt>t: V_32 -&gt; V_32</dt>
<dd>t(a) = t(a_7||...||a_0) =
Pi_7(a_7)||...||Pi_0(a_0), where a=a_7||...||a_0 belongs to V_32, Pi_7(a_7)||...||Pi_0(a_0), where a=a_7||...||a_0 belongs to V_32,
a_i belongs to V_4, i=0, 1, ..., 7;</t> a_i belongs to V_4, i=0, 1, ..., 7.</dd>
<dt>g[k]: V_32 -&gt; V_32</dt>
<t hangText="g[k]: V_32 -&gt; V_32">g[k](a) = (t(Vec_32(Int_32(a) <dd>g[k](a) = (t(Vec_32(Int_32(a)
[+] Int_32(k)))) &lt;&lt;&lt;_11, where k, a belong to V_32;</t> [+] Int_32(k)))) &lt;&lt;&lt;_11, where k, a belong to V_32</dd>
<dt>G[k]: V_32[*]V_32 -&gt; V_32[*]V_32</dt>
<t hangText="G[k]: V_32[*]V_32 -&gt; V_32[*]V_32">G[k](a_1, a_0) = <dd>G[k](a_1, a_0) =
(a_0, g[k](a_0) (xor) a_1), where k, a_0, a_1 belong to V_32;</t> (a_0, g[k](a_0) (xor) a_1), where k, a_0, a_1 belong to V_32</dd>
<dt>G^*[k]: V_32[*]V_32 -&gt; V_64</dt>
<t hangText="G^*[k]: V_32[*]V_32 -&gt; V_64">G^*[k](a_1, a_0) = <dd>G^*[k](a_1, a_0) =
(g[k](a_0) (xor) a_1) || a_0, where k, a_0, a_1 belong to (g[k](a_0) (xor) a_1) || a_0, where k, a_0, a_1 belong to
V_32.</t> V_32.</dd>
</list></t> </dl>
</section> </section>
<section numbered="true" toc="default">
<section title="Key Schedule"> <name>Key Schedule</name>
<t>Round keys K_i belonging to V_32, i=1, 2, ..., 32 are derived from <t>Round keys K_i belonging to V_32, i=1, 2, ..., 32 are derived from
key K=k_255||...||k_0 belonging to V_256, k_i belongs to V_1, i=0, 1, key K = k_255||...||k_0 belonging to V_256, k_i belongs to V_1, i=0, 1,
..., 255, as follows:</t> ..., 255, as follows:</t>
<artwork align="left" name="" type="" alt=""><![CDATA[
<figure> K_1 = k_255||...||k_224;
<artwork align="left"><![CDATA[ K_2 = k_223||...||k_192;
K_1=k_255||...||k_224; K_3 = k_191||...||k_160;
K_2=k_223||...||k_192; K_4 = k_159||...||k_128;
K_3=k_191||...||k_160; K_5 = k_127||...||k_96;
K_4=k_159||...||k_128; K_6 = k_95||...||k_64;
K_5=k_127||...||k_96; K_7 = k_63||...||k_32;
K_6=k_95||...||k_64; K_8 = k_31||...||k_0;
K_7=k_63||...||k_32; K_(i+8) = K_i, i = 1, 2, ..., 8;
K_8=k_31||...||k_0; K_(i+16) = K_i, i = 1, 2, ..., 8;
K_(i+8)=K_i, i = 1, 2, ..., 8; K_(i+24) = K_(9-i), i = 1, 2, ..., 8.]]></artwork>
K_(i+16)=K_i, i = 1, 2, ..., 8;
K_(i+24)=K_(9-i), i = 1, 2, ..., 8.]]></artwork>
</figure>
</section> </section>
</section> </section>
<section numbered="true" toc="default">
<section title="Basic Encryption Algorithm"> <name>Basic Encryption Algorithm</name>
<section title="Encryption"> <section numbered="true" toc="default">
<name>Encryption</name>
<t>Depending on the values of round keys K_1,...,K_32, the encryption <t>Depending on the values of round keys K_1,...,K_32, the encryption
algorithm is a substitution E_(K_1,...,K_32) defined as follows:</t> algorithm is a substitution E_&wj;(K_1,...,K_32) defined as follows:</t>
<artwork align="left" name="" type="" alt=""><![CDATA[E_(K_1,...,K_32)(a
<figure> )=G^*[K_32]G[K_31]...G[K_2]G[K_1](a_1, a_0),]]></artwork>
<artwork align="left"><![CDATA[E_(K_1,...,K_32)(a)=G^*[K_32]G[K_31]...
G[K_2]G[K_1](a_1, a_0),]]></artwork>
</figure>
<t>where a=(a_1, a_0) belongs to V_64, and a_0, a_1 belong to <t>where a=(a_1, a_0) belongs to V_64, and a_0, a_1 belong to
V_32.</t> V_32.</t>
</section> </section>
<section numbered="true" toc="default">
<section title="Decryption"> <name>Decryption</name>
<t>Depending on the values of round keys K_1,...,K_32, the decryption <t>Depending on the values of round keys K_1,...,K_32, the decryption
algorithm is a substitution D_(K_1,...,K_32) defined as follows:</t> algorithm is a substitution D_&wj;(K_1,...,K_32) defined as follows:</t>
<artwork align="left" name="" type="" alt=""><![CDATA[D_(K_1,...,K_32)(a
<figure> )=G^*[K_1]G[K_2]...G[K_31]G[K_32](a_1, a_0),]]></artwork>
<artwork align="left"><![CDATA[D_(K_1,...,K_32)(a)=G^*[K_1]G[K_2]...G[
K_31]G[K_32](a_1, a_0),]]></artwork>
</figure>
<t>where a=(a_1, a_0) belongs to V_64, and a_0, a_1 belong to <t>where a=(a_1, a_0) belongs to V_64, and a_0, a_1 belong to
V_32.</t> V_32.</t>
</section> </section>
</section> </section>
<section anchor="IANA" numbered="true" toc="default">
<section anchor="IANA" title="IANA Considerations"> <name>IANA Considerations</name>
<t>This memo includes no request to IANA.</t> <t>This document has no IANA actions.</t>
</section> </section>
<section anchor="Security" numbered="true" toc="default">
<section anchor="Security" title="Security Considerations"> <name>Security Considerations</name>
<t>This entire document is about security considerations.</t> <t>This entire document is about security considerations.</t>
<t>Unlike <xref target="RFC5830" /> (GOST 28147-89), but like <xref <t>Unlike <xref target="RFC5830" format="default"/> (GOST 28147-89), but
target="RFC7801" /> this specification does not define exact block like <xref target="RFC7801" format="default"/>, this specification does
modes which should be used together with updated Magma cipher. One is not define exact block
modes that should be used together with the updated Magma cipher. One is
free to select block modes depending on the protocol and necessity.</t> free to select block modes depending on the protocol and necessity.</t>
</section> </section>
</middle> </middle>
<back> <back>
<!---->
<references title="Normative References">
<?rfc include='reference.RFC.5830.xml'?>
<?rfc include='reference.RFC.7801.xml'?> <references>
<name>References</name>
<reference anchor="GOSTR3412-2015"> <references>
<front> <name>Normative References</name>
<title>Information technology. Cryptographic data security. Block <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R
ciphers. GOST R 34.12-2015</title> FC.5830.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R
FC.7801.xml"/>
<author> <reference anchor="GOSTR3412-2015">
<organization>Federal Agency on Technical Regulating and <front>
<title>Information technology. Cryptographic data security. Block
ciphers.</title>
<author>
<organization>Federal Agency on Technical Regulating and
Metrology</organization> Metrology</organization>
</author> </author>
<date year="2015"/>
<date year="2015"/> </front>
</front> <seriesInfo name="GOST R" value="34.12-2015" />
</reference> </reference>
</references> </references>
<references>
<name>Informative References</name>
<references title="Informative References"> <reference anchor="GOST28147-89">
<reference anchor="GOST28147-89"> <front>
<front> <title>Cryptographic Protection for Data Processing System, GOST
<title>"Cryptographic Protection for Data Processing System", GOST
28147-89, Gosudarstvennyi Standard of USSR</title> 28147-89, Gosudarstvennyi Standard of USSR</title>
<author>
<author> <organization>Government Committee of the USSR for
<organization>Government Committee of the USSR for
Standards</organization> Standards</organization>
</author> </author>
<date year="1989"/>
<date year="1989"/> </front>
</front> </reference>
</reference> <reference anchor="ISO-IEC10116">
<front>
<reference anchor="ISO-IEC10116"> <title>Information technology -- Security techniques -- Modes of
<front> operation for an n-bit block cipher</title>
<title>Information technology - Security techniques - Modes of <author>
operation for an n-bit block cipher, ISO-IEC 10116</title> <organization>ISO/IEC</organization>
</author>
<author> <date year="2017"/>
<organization>ISO-IEC</organization> </front>
</author> <seriesInfo name="ISO/IEC" value="10116" />
</reference>
<date year="2006"/> <reference anchor="ISO-IEC18033-1">
</front> <front>
</reference> <title>Information technology -- Security techniques -- Encryption
algorithms -- Part 1: General</title>
<reference anchor="ISO-IEC18033-1"> <author>
<front> <organization>ISO/IEC</organization>
<title>Information technology - Security techniques - Encryption </author>
algorithms - Part 1: General, ISO-IEC 18033-1</title> <date year="2015"/>
</front>
<author> <seriesInfo name="ISO/IEC" value="18033-1:2015" />
<organization>ISO-IEC</organization> </reference>
</author>
<date year="2013"/>
</front>
</reference>
<reference anchor="ISO-IEC18033-3">
<front>
<title>Information technology - Security techniques - Encryption
algorithms - Part 3: Block ciphers, ISO-IEC 18033-3</title>
<author> <reference anchor="ISO-IEC18033-3">
<organization>ISO-IEC</organization> <front>
</author> <title>Information technology -- Security techniques -- Encryption
algorithms -- Part 3: Block ciphers</title>
<author>
<organization>ISO/IEC</organization>
</author>
<date year="2010"/>
</front>
<seriesInfo name="ISO/IEC" value="18033-3:2010" />
</reference>
<date year="2010"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R
</front> FC.7836.xml"/>
</reference>
<?rfc include='reference.RFC.7836.xml'?> </references>
</references> </references>
<section numbered="true" toc="default">
<section title="Test Examples"> <name>Test Examples</name>
<t>This section is for information only and is not a normative part of <t>This section is for information only and is not a normative part of
the specification.</t> the specification.</t>
<section numbered="true" toc="default">
<section title="Transformation t"> <name>Transformation t</name>
<figure> <sourcecode type="test-vectors"><![CDATA[t(fdb97531) = 2a196f34,
<artwork><![CDATA[t(fdb97531) = 2a196f34,
t(2a196f34) = ebd9f03a, t(2a196f34) = ebd9f03a,
t(ebd9f03a) = b039bb3d, t(ebd9f03a) = b039bb3d,
t(b039bb3d) = 68695433.]]></artwork> t(b039bb3d) = 68695433.]]></sourcecode>
</figure>
</section> </section>
<section numbered="true" toc="default">
<section title="Transformation g"> <name>Transformation g</name>
<figure> <sourcecode type="test-vectors"><![CDATA[g[87654321](fedcba98) = fdcbc20
<artwork><![CDATA[g[87654321](fedcba98) = fdcbc20c, c,
g[fdcbc20c](87654321) = 7e791a4b, g[fdcbc20c](87654321) = 7e791a4b,
g[7e791a4b](fdcbc20c) = c76549ec, g[7e791a4b](fdcbc20c) = c76549ec,
g[c76549ec](7e791a4b) = 9791c849.]]></artwork> g[c76549ec](7e791a4b) = 9791c849.]]></sourcecode>
</figure>
</section> </section>
<section anchor="test-ks" numbered="true" toc="default">
<section anchor="test-ks" title="Key schedule"> <name>Key Schedule</name>
<t>With key set to</t> <t>With key set to</t>
<sourcecode type="test-vectors"><![CDATA[K = ffeeddccbbaa998877665544332
<figure> 21100f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff,]]></sourcecode>
<artwork><![CDATA[K = ffeeddccbbaa99887766554433221100f0f1f2f3f4f5f6f7 <t>the following round keys are generated:</t>
f8f9fafbfcfdfeff,]]></artwork> <sourcecode type="test-vectors"><![CDATA[K_1 = ffeeddcc,
</figure>
<t>following round keys are generated:</t>
<figure>
<artwork><![CDATA[K_1 = ffeeddcc,
K_2 = bbaa9988, K_2 = bbaa9988,
K_3 = 77665544, K_3 = 77665544,
K_4 = 33221100, K_4 = 33221100,
K_5 = f0f1f2f3, K_5 = f0f1f2f3,
K_6 = f4f5f6f7, K_6 = f4f5f6f7,
K_7 = f8f9fafb, K_7 = f8f9fafb,
K_8 = fcfdfeff, K_8 = fcfdfeff,
K_9 = ffeeddcc, K_9 = ffeeddcc,
K_10 = bbaa9988, K_10 = bbaa9988,
skipping to change at line 504 skipping to change at line 435
K_23 = f8f9fafb, K_23 = f8f9fafb,
K_24 = fcfdfeff, K_24 = fcfdfeff,
K_25 = fcfdfeff, K_25 = fcfdfeff,
K_26 = f8f9fafb, K_26 = f8f9fafb,
K_27 = f4f5f6f7, K_27 = f4f5f6f7,
K_28 = f0f1f2f3, K_28 = f0f1f2f3,
K_29 = 33221100, K_29 = 33221100,
K_30 = 77665544, K_30 = 77665544,
K_31 = bbaa9988, K_31 = bbaa9988,
K_32 = ffeeddcc.]]></artwork> K_32 = ffeeddcc.]]></sourcecode>
</figure>
</section> </section>
<section numbered="true" toc="default">
<section title="Test Encryption"> <name>Test Encryption</name>
<t>In this test example, encryption is performed on the round keys <t>In this test example, encryption is performed on the round keys
specified in clause <xref format="counter" target="test-ks"/>. Let the specified in Clause <xref format="counter" target="test-ks"/>. Let the
plaintext be</t> plaintext be</t>
<sourcecode type="test-vectors"><![CDATA[
<figure> a = fedcba9876543210,
<artwork><![CDATA[a = fedcba9876543210,]]></artwork> ]]></sourcecode>
</figure> <t>then</t>
<sourcecode type="test-vectors"><![CDATA[(a_1, a_0) = (fedcba98, 7654321
<t>then</t> 0),
<figure>
<artwork><![CDATA[(a_1, a_0) = (fedcba98, 76543210),
G[K_1](a_1, a_0) = (76543210, 28da3b14), G[K_1](a_1, a_0) = (76543210, 28da3b14),
G[K_2]G[K_1](a_1, a_0) = (28da3b14, b14337a5), G[K_2]G[K_1](a_1, a_0) = (28da3b14, b14337a5),
G[K_3]...G[K_1](a_1, a_0) = (b14337a5, 633a7c68), G[K_3]...G[K_1](a_1, a_0) = (b14337a5, 633a7c68),
G[K_4]...G[K_1](a_1, a_0) = (633a7c68, ea89c02c), G[K_4]...G[K_1](a_1, a_0) = (633a7c68, ea89c02c),
G[K_5]...G[K_1](a_1, a_0) = (ea89c02c, 11fe726d), G[K_5]...G[K_1](a_1, a_0) = (ea89c02c, 11fe726d),
G[K_6]...G[K_1](a_1, a_0) = (11fe726d, ad0310a4), G[K_6]...G[K_1](a_1, a_0) = (11fe726d, ad0310a4),
G[K_7]...G[K_1](a_1, a_0) = (ad0310a4, 37d97f25), G[K_7]...G[K_1](a_1, a_0) = (ad0310a4, 37d97f25),
G[K_8]...G[K_1](a_1, a_0) = (37d97f25, 46324615), G[K_8]...G[K_1](a_1, a_0) = (37d97f25, 46324615),
G[K_9]...G[K_1](a_1, a_0) = (46324615, ce995f2a), G[K_9]...G[K_1](a_1, a_0) = (46324615, ce995f2a),
G[K_10]...G[K_1](a_1, a_0) = (ce995f2a, 93c1f449), G[K_10]...G[K_1](a_1, a_0) = (ce995f2a, 93c1f449),
skipping to change at line 552 skipping to change at line 478
G[K_22]...G[K_1](a_1, a_0) = (11263a21, 625434c3), G[K_22]...G[K_1](a_1, a_0) = (11263a21, 625434c3),
G[K_23]...G[K_1](a_1, a_0) = (625434c3, 8025c0a5), G[K_23]...G[K_1](a_1, a_0) = (625434c3, 8025c0a5),
G[K_24]...G[K_1](a_1, a_0) = (8025c0a5, b0d66514), G[K_24]...G[K_1](a_1, a_0) = (8025c0a5, b0d66514),
G[K_25]...G[K_1](a_1, a_0) = (b0d66514, 47b1d5f4), G[K_25]...G[K_1](a_1, a_0) = (b0d66514, 47b1d5f4),
G[K_26]...G[K_1](a_1, a_0) = (47b1d5f4, c78e6d50), G[K_26]...G[K_1](a_1, a_0) = (47b1d5f4, c78e6d50),
G[K_27]...G[K_1](a_1, a_0) = (c78e6d50, 80251e99), G[K_27]...G[K_1](a_1, a_0) = (c78e6d50, 80251e99),
G[K_28]...G[K_1](a_1, a_0) = (80251e99, 2b96eca6), G[K_28]...G[K_1](a_1, a_0) = (80251e99, 2b96eca6),
G[K_29]...G[K_1](a_1, a_0) = (2b96eca6, 05ef4401), G[K_29]...G[K_1](a_1, a_0) = (2b96eca6, 05ef4401),
G[K_30]...G[K_1](a_1, a_0) = (05ef4401, 239a4577), G[K_30]...G[K_1](a_1, a_0) = (05ef4401, 239a4577),
G[K_31]...G[K_1](a_1, a_0) = (239a4577, c2d8ca3d). G[K_31]...G[K_1](a_1, a_0) = (239a4577, c2d8ca3d).
]]></artwork> ]]></sourcecode>
</figure>
<t>Then the ciphertext is</t> <t>Then the ciphertext is</t>
<sourcecode type="test-vectors"><![CDATA[b = G^*[K_32]G[K_31]...G[K_1](a
<figure> _1, a_0) = 4ee901e5c2d8ca3d.]]></sourcecode>
<artwork><![CDATA[b = G^*[K_32]G[K_31]...G[K_1](a_1, a_0) = 4ee901e5c2
d8ca3d.]]></artwork>
</figure>
</section> </section>
<section numbered="true" toc="default">
<section title="Test Decryption"> <name>Test Decryption</name>
<t>In this test example, decryption is performed on the round keys <t>In this test example, decryption is performed on the round keys
specified in clause <xref format="counter" target="test-ks"/>. Let the specified in <xref target="test-ks"/>. Let the
ciphertext be</t> ciphertext be</t>
<sourcecode type="test-vectors"><![CDATA[b = 4ee901e5c2d8ca3d,]]></sourc
<figure> ecode>
<artwork><![CDATA[b = 4ee901e5c2d8ca3d,]]></artwork>
</figure>
<t>then</t> <t>then</t>
<sourcecode type="test-vectors"><![CDATA[(b_1, b_0) = (4ee901e5, c2d8ca3
<figure> d),
<artwork><![CDATA[(b_1, b_0) = (4ee901e5, c2d8ca3d),
G[K_32](b_1, b_0) = (c2d8ca3d, 239a4577), G[K_32](b_1, b_0) = (c2d8ca3d, 239a4577),
G[K_31]G[K_32](b_1, b_0) = (239a4577, 05ef4401), G[K_31]G[K_32](b_1, b_0) = (239a4577, 05ef4401),
G[K_30]...G[K_32](b_1, b_0) = (05ef4401, 2b96eca6), G[K_30]...G[K_32](b_1, b_0) = (05ef4401, 2b96eca6),
G[K_29]...G[K_32](b_1, b_0) = (2b96eca6, 80251e99), G[K_29]...G[K_32](b_1, b_0) = (2b96eca6, 80251e99),
G[K_28]...G[K_32](b_1, b_0) = (80251e99, c78e6d50), G[K_28]...G[K_32](b_1, b_0) = (80251e99, c78e6d50),
G[K_27]...G[K_32](b_1, b_0) = (c78e6d50, 47b1d5f4), G[K_27]...G[K_32](b_1, b_0) = (c78e6d50, 47b1d5f4),
G[K_26]...G[K_32](b_1, b_0) = (47b1d5f4, b0d66514), G[K_26]...G[K_32](b_1, b_0) = (47b1d5f4, b0d66514),
G[K_25]...G[K_32](b_1, b_0) = (b0d66514, 8025c0a5), G[K_25]...G[K_32](b_1, b_0) = (b0d66514, 8025c0a5),
G[K_24]...G[K_32](b_1, b_0) = (8025c0a5, 625434c3), G[K_24]...G[K_32](b_1, b_0) = (8025c0a5, 625434c3),
G[K_23]...G[K_32](b_1, b_0) = (625434c3, 11263a21), G[K_23]...G[K_32](b_1, b_0) = (625434c3, 11263a21),
skipping to change at line 605 skipping to change at line 520
G[K_12]...G[K_32](b_1, b_0) = (4811c7ad, 93c1f449), G[K_12]...G[K_32](b_1, b_0) = (4811c7ad, 93c1f449),
G[K_11]...G[K_32](b_1, b_0) = (93c1f449, ce995f2a), G[K_11]...G[K_32](b_1, b_0) = (93c1f449, ce995f2a),
G[K_10]...G[K_32](b_1, b_0) = (ce995f2a, 46324615), G[K_10]...G[K_32](b_1, b_0) = (ce995f2a, 46324615),
G[K_9]...G[K_32](b_1, b_0) = (46324615, 37d97f25), G[K_9]...G[K_32](b_1, b_0) = (46324615, 37d97f25),
G[K_8]...G[K_32](b_1, b_0) = (37d97f25, ad0310a4), G[K_8]...G[K_32](b_1, b_0) = (37d97f25, ad0310a4),
G[K_7]...G[K_32](b_1, b_0) = (ad0310a4, 11fe726d), G[K_7]...G[K_32](b_1, b_0) = (ad0310a4, 11fe726d),
G[K_6]...G[K_32](b_1, b_0) = (11fe726d, ea89c02c), G[K_6]...G[K_32](b_1, b_0) = (11fe726d, ea89c02c),
G[K_5]...G[K_32](b_1, b_0) = (ea89c02c, 633a7c68), G[K_5]...G[K_32](b_1, b_0) = (ea89c02c, 633a7c68),
G[K_4]...G[K_32](b_1, b_0) = (633a7c68, b14337a5), G[K_4]...G[K_32](b_1, b_0) = (633a7c68, b14337a5),
G[K_3]...G[K_32](b_1, b_0) = (b14337a5, 28da3b14), G[K_3]...G[K_32](b_1, b_0) = (b14337a5, 28da3b14),
G[K_2]...G[K_32](b_1, b_0) = (28da3b14, 76543210).]]></artwork> G[K_2]...G[K_32](b_1, b_0) = (28da3b14, 76543210).
</figure> ]]></sourcecode>
<t>Then the plaintext is</t> <t>Then the plaintext is</t>
<sourcecode type="test-vectors"><![CDATA[a = G^*[K_1]G[K_2]...G[K_32](b_
<figure> 1, b_0) = fedcba9876543210.]]></sourcecode>
<artwork><![CDATA[a = G^*[K_1]G[K_2]...G[K_32](b_1, b_0) = fedcba98765
43210.]]></artwork>
</figure>
</section> </section>
</section> </section>
<section numbered="true" toc="default">
<section title="Background"> <name>Background</name>
<t>This specification is a translation of relevant parts of <xref <t>This specification is a translation of relevant parts of the <xref
target="GOSTR3412-2015" /> standard. The order of terms in both target="GOSTR3412-2015" format="default"/> standard. The order of terms
parts of <xref target="section_defs_notation" /> comes from original in both
text. If one combines <xref target="RFC7801" /> with this parts of <xref target="section_defs_notation" format="default"/>
document, he will have complete translation of <xref comes from the original
target="GOSTR3412-2015" /> into English.</t> text. Combining <xref target="RFC7801" format="default"/> with this
document will create a complete translation of <xref target="GOSTR3412-
<t>Algoritmically Magma is a variation of block cipher defined in 2015" format="default"/> into English.</t>
<xref target="RFC5830"/> (<xref target="GOST28147-89"/>) <t>Algorithmically, Magma is a variation of the block cipher defined in
<xref target="RFC5830" format="default"/> (<xref target="GOST28147-89" f
ormat="default"/>)
with the following clarifications and minor modifications: with the following clarifications and minor modifications:
<list style="numbers">
<t>S-BOX set is fixed at id-tc26-gost-28147-param-Z
(See Appendix C of <xref target="RFC7836" />);</t>
<t>key is parsed as a single big-endian integer (compared to little-end
ian approach used in <xref target="GOST28147-89" />),
which results in different subkey values being used;</t>
<t>data bytes are also parsed as single big-endian integer (instead of
being parsed as little-endian integer).</t>
</list>
</t> </t>
<ol spacing="normal" type="1">
<li>S-BOX set is fixed at id-tc26-gost-28147-param-Z
(See Appendix C of <xref target="RFC7836" format="default"/>);</li>
<li>key is parsed as a single big-endian integer (compared to the
little-endian approach used in <xref target="GOST28147-89"
format="default"/>),
which results in different subkey values being used;</li>
<li>data bytes are also parsed as a single big-endian integer (instead o
f being parsed as little-endian integer).</li>
</ol>
</section> </section>
</back> </back>
</rfc> </rfc>
 End of changes. 105 change blocks. 
406 lines changed or deleted 340 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/